You have an email. It looks legit and you really want to click that link, but how do you verify that it’s not a phishing scam (and you’re about to give away personal information, money, or access to your accounts or computer)? Phihing is becoming increasingly common, so it’s good to know how to identify a phishing email instead of falling for it.
We will show you where to look to have the best chance possible of identifying a phishing email instead of becoming its victim.
Step 1: Look at the from address
The from address is next, but different from, the display name. The display name can be anything the sender wants to write and is not evaluated as part of the email authentication protocols. Translation- it’s not very trustworthy. The from address is what is typically evaluated for email authentication.
Does the from address make sense? Make sure there are no “typos” or misspellings in the from address domain (the domain is everything after the @). If the company name is misspelled in the from address, that’s not a typo. It’s probably a phishing email…
Is it what you would expect for the domain of that company? If so, that doesn’t necessarily guarantee it’s legitimate. Sometimes businesses don’t use the domain we would expect to send emails. If it’s something completely off the wall, it could be a phishing attack.
NOTE: this step is important because attackers using cousin domains (look-a-like domains that can fool people by appearing to be a particular business- e.g. paypa1.com or usgovdelivery.com) can set up email authentication for their malicious domains. These domains could pass DMARC based on the cousin domain and still be malicious. If you are not sure what the domain should be, you may want to confirm that it is the right email domain for that company. You may be able to do this with a search engine or from looking at other emails you have previously received from that company.
Step 2 check the domain’s DMARC policy
Note on subdomains: businesses may use subdomains to send email (i.e send.example.com vs example.com). If you check the subdomain, and there is no policy, check the main domain next. The policy for subdomains can either be a separate policy or included with the policy for the main domain.
- Reject: 👍if the policy is Reject and the email landed in your inbox, then it is extremely likely that it is a legitimate email. Emails that fail DMARC are not delivered when the policy is Reject.
- Quarantine: 👌if the policy is Quarantine and the email landed in your inbox, it is probably legitimate. Emails that fail DMARC are delivered to the spam folder when the policy is Quarantine.
- None: 😕if the policy is None, you won’t be able to tell if it’s legitimate or not without looking further. Emails that fail DMARC are delivered as usual when the policy is None.
- No Policy:👎👎 If the domain is not using DMARC, there’s no way for you to verify the email other than calling the sender. If you can’t do that, we’d suggest you don’t trust the email. The domain owner has not prioritized security and left you with no way to confirm you’re communicating with the correct person. It would seem they don’t have anything worth communicating to you after all.
Note on percentages (ptc=): pay attention to the percentage on the DMARC policy. The percentage tells the ISP what percentage of the domain’s emails it should enforce the DMARC policy for. The default is 100%, so if none is specified, you can assume all of that domain’s emails were evaluated with that DMARC policy. If the percentage is less than 100%, you will need to look further.
A step further:
If the policy was none (or the percentage is less than 100%), then you need to go a little further to determine if the email passed authentication. You can also use this step for emails from Quarantine and Reject domains as a double check.
You need to look at the “original” message- this is the version that shows all the code in the email headers. Once you get to that version look for DMARC (you can use your browser’s “find” function to make this easier).
Check to see if it passed or failed DMARC. If it passed, it is authenticated and probably legitimate. The only chance of it being a phishing attack is if that business added too many senders to their email authentication policies AND and an attacker figured that out to exploit it (or the from address is a domain that doesn’t actually belong to the business that you think it does).
If it failed DMARC, it still could be legitimate since the business may have its senders misconfigured (which can cause legitimate emails to fail authentication). However, the safest move is to treat it as malicious. Either way, you can stop here, since DMARC is the critical protocol for monitoring and controlling email senders.
(this is going to get pretty nerdy and technical; proceed at your own risk)
If you want to keep digging, you can also look at SPF and DKIM. You could attempt to verify senders for domains that have no DMARC using this step. However, the domain may also be missing SPF and DKIM.
SPF: you need to look at the domain that was evaluated, which will be the one marked “return path.” The return path domain should match the from address domain, but it may not depending on the ESP used to send the message. The return path domain is the “bounce address,” or the return address for the email. If the email can’t be delivered to the recipient (often because the “to” address is not a real email address), then a failure message is sent back to the return path address. The return path should be the same as the from address, but some ESPs use their own domain in the return path. This allows them to do two things: 1. Monitor the number of bounces an email blast gets. Email blasts with high bounce rates were probably sent to purchased lists, which could hurt the ESP’s reputation. 2. Control the SPF used for email authentication.
This will be similar to DMARC in that if the return path passed SPF, it’s probably legitimate, if not it could go either way.
DKIM: Look to see if DKIM passed. An email may have more than one DKIM signature, especially if you are using forwarding. You can look for the “d=” domain or “i=” under DKIM to see if it matches the from address. The “d=” shows the SDID (the signing Identifier), which is the domain that claims responsibility for some part of the email transfer process, and the “i=” is the domain including the “@”.
DKIM is similar to SPF and DMARC in that if it passes with a “d=” that matches, then it is probably legitimate. If not, it may or may not be legitimate.
That’s it. DMARC makes it a bit easier to verify the sender of an email.
Fraudmarc Can help
If you own a domain and want to ensure that your customers, user, employees, and vendors can trust emails from that domain. We can help you secure your domain by implementing DMARC. We have many tools, services, and plans that make email security much more simple.